# NixOS module: serves every site listed in ./hosts.nix through nginx with
# ACME-issued TLS certificates, and registers the same sites with the
# nix-sync service.
{...}: let
  # Site list, obtained by calling ./hosts.nix with an empty argument set.
  # Each entry must be an attribute set with exactly `domain`, `root` and
  # `url`: the patterns below have no `...`, so any extra or missing
  # attribute aborts evaluation.
  sites = import ./hosts.nix {};

  # Turn the site list into an attribute set, using `toPair` to produce one
  # { name, value } pair per site.
  perSite = toPair: builtins.listToAttrs (builtins.map toPair sites);

  # nginx virtual host for one site. `url` is not used here; it is only
  # named so the strict argument pattern accepts the hosts.nix entries.
  nginxEntry = {
    domain,
    root,
    url,
  }: {
    name = "${domain}";
    value = {
      # Request a certificate via ACME and redirect plain HTTP to HTTPS.
      enableACME = true;
      forceSSL = true;
      root = "${root}";
    };
  };

  # nix-sync repository entry for one site.
  # NOTE(review): `path` is the same directory nginx serves as document
  # root, so presumably whatever the repository at `uri` contains ends up
  # published; confirm every `url` in hosts.nix points at a trusted source.
  syncEntry = {
    domain,
    root,
    url,
  }: {
    name = "${domain}";
    value = {
      uri = "${url}";
      path = "${root}";
    };
  };
in {
  security.acme.acceptTerms = true;
  security.acme.defaults = {
    # Contact address for the ACME account.
    email = "admin@vhack.eu";
    # Directory where HTTP-01 challenge files are placed.
    webroot = "/var/lib/acme/acme-challenge";
  };

  # Port 80 stays open next to 443: plain HTTP is needed for the ACME
  # webroot challenge and for the forceSSL redirect.
  networking.firewall.allowedTCPPorts = [80 443];

  services.nginx = {
    enable = true;
    virtualHosts = perSite nginxEntry;
  };

  services.nix-sync = {
    enable = true;
    repositories = perSite syncEntry;
  };
}